Yaniv Hoffman, Vice President Technologies, Radware, looks at the security threats CSPs need to consider when planning protection for 5G networks.
While the rapid advance of 5G communications delivers comprehensive benefits for Asia Pacific communication service providers (CSPs), the new technology also presents challenges in security and cost.
CSPs are entering a new phase of network cloudification to transform their network infrastructure. This technology transformation will capitalize on network function virtualization, Software Defined Networking and Artificial Intelligence.
Their strategy to capture new growth is shifting as well. Future growth is being driven by the move to virtualize mobile core networks in response to growth of user data, the increasing adoption of IoT devices, new 5G business and complex networks.
Network cloudification offers CSPs several major business benefits:
• Capital expenditure benefits from better aggregation and utilization of solutions and services on general purpose hardware.
• Operating expenditure benefits from reduced labour and operational efficiencies gained through cloud automation, agility and scalability, which indirectly impact customer experience.
• Value-added services leverage cloud platforms to enable new services and revenue streams.
The original goals for cloud were to decouple growth from cost and rapidly deliver new services. CSPs did this in 4G environments by transitioning the network elements into big virtual network functions.
These functions were too big and not cost effective. In addition, their use of legacy operations made networks unwieldy to deploy, scale and maintain. These challenges will multiply in the 5G environment.
CSPs understand today they need to derive more from the cloud, which must be rebuilt as cloud-native to deliver business agility in rapidly onboarding new apps and deploying and operating new services. The scale of 5G opens the door to more devices and a diverse mix of services, making it difficult for legacy operations to keep up.
We see more and more CSPs partnering with cloud providers in order to accelerate the 5G transformation journey, which offers benefits such as fully automated deployments, ease of management and orchestration of workload in the hybrid cloud. Essentially, the transformation delivers deployment flexibility and automated scaling of network functions for demand-driven network growth, reducing manual monitoring and operational complexity.
High profile cloud partnerships demonstrate some of the benefits of 5G. These include:
• Microsoft Azure – Microsoft acquired Affirmed Networks (a network virtualization provider specializing in vEPC and v5GC). The partnership allowed Microsoft to produce Azure for Operators, a suite of products with Azure networking and cloud infrastructure, network virtualization and cloud applications, as well as Azure AI and an analytics engine.
• AT&T – At the end of June, AT&T announced that it is moving its 5G mobile network to Microsoft cloud. This strategic alliance provides a path for all AT&T mobile network traffic to be managed using Microsoft Azure technologies. Both companies will start with AT&T’s 5G core, which connects mobile users and IoT devices to the Internet and other services.
• Nokia and Google – In January, Google Cloud and Nokia announced they would jointly develop cloud-native 5G core solutions for CSPs and enterprise customers. The new partnership will deliver cloud capabilities to the network edge.
• Cisco and Altiostar – They partnered to create blueprints to accelerate deployments of 4G/5G OpenRAN solutions to service provider networks.
• Vodafone and Verizon – They partnered with AWS to explore Edge Computing opportunities.
• VMware has been moving into the telco sector with more updates to its telco cloud platform, including support for Open RAN.
Because of its distributed nature, the deployment of 5G networking infrastructure differs dramatically from previous generations of mobile networks. CSPs face new challenges in moving from a component-based topology to a service-based network.
For example, prior to 5G, mobile radio access and the core networks consisted of isolatable network elements with specific tasks. In 4G networks, a virtual evolved packet core (EPC) in the network emerged.
5G takes this a step further by transforming all network components into virtual, microservice elements that are software based, disaggregated and deployed in various locations.
The software-based microservices architecture enables network slicing. This includes the ability to isolate different services, each with its own parameters, setup and security policies – all on one hardware element.
The 5G network must be designed to support multiple security policies, segregated by slice on individual network components. The more slices, the more microservices and interface points in the network that are in turn exposed to the Internet.
Traditional security methods with predefined rules, thresholds and manual setup will not work in a 5G environment. Service providers need to automate operations and have a scalable infrastructure to manage policies, which requires DevOps capabilities. All security tools need to be automated for onboarding and deployment.
5G networks introduce new traffic patterns that run east/west towards applications. Therefore, there is a need to inspect egress traffic. The number of inspection points increases dramatically not only from peering points, but also from traffic at Edge Computing points.
CSPs need to consider the following unique security threats when planning protection for 5G networks:
• In network edge protection, multiple edge (breakouts) and mesh types significantly increase exposure.
• Outbound attacks include IoT botnets and attacks on the network edge.
• Inbound attacks include floods from public cloud and from the Internet, and attacks on core network services.
• Network gateway attacks are based on burst attacks, IoT, BOT, API, DNS and SSL, raising complexity and impact on the infrastructure, application servers/telecommunication cloud and API gateways.
• In network slicing, each slice has its own threat risk, which requires per-slice security policies and a coherent defensive strategy across all slices. Mobile edge core security infrastructure and 5G availability assurance also require protection.
• Attacks on multi-access Edge Computing components include targeting service capability and mobility management entities. Defenses need to prevent network resource failure.
• Outgoing attacks to external servers from IoT devices are also a risk. IT needs to prevent network reputation risk, while infections targeted towards narrow band IoT devices also require protection to prevent IoT device infection with botnets.
• The public/private cloud edge needs protection. The shift in some areas of workload to the public cloud introduces new security concerns to service provider networks with additional shifts in microservice environment and cloud-native network function.
To counter the many, varied and ever-evolving attacks by cybercriminals, it is essential that organizations include in their defensive armoury WAF/API protection for their cloud-native environments.